From: Andy Adamson <andros@netapp.com>
Date: Tue, 27 Nov 2012 15:34:19 +0000 (-0500)
Subject: SUNRPC handle EKEYEXPIRED in call_refreshresult
X-Git-Tag: v3.8-rc1~72^2~13
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb96d5c97b0825d542e9c4ba5e0a22b519355166;p=pandora-kernel.git

SUNRPC handle EKEYEXPIRED in call_refreshresult

Currently, when an RPCSEC_GSS context has expired or is non-existent
and the users (Kerberos) credentials have also expired or are non-existent,
the client receives the -EKEYEXPIRED error and tries to refresh the context
forever.  If an application is performing I/O, or other work against the share,
the application hangs, and the user is not prompted to refresh/establish their
credentials. This can result in a denial of service for other users.

Users are expected to manage their Kerberos credential lifetimes to mitigate
this issue.

Move the -EKEYEXPIRED handling into the RPC layer. Try tk_cred_retry number
of times to refresh the gss_context, and then return -EACCES to the application.

Signed-off-by: Andy Adamson <andros@netapp.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
---

Reading git-diff-tree failed